jees nice! i was stuck with Testimonial for forever....i thought, hey its an easy box so looks like an ssti with some sort of filtering, ok i got that.. but to overwrite the file was not something i came up as a beginner. tricky box! nice vid :)
Testimonial took me forever, managed to solve it 20 mins before the end after going back to it a second time. Hade the right idea all along, but had so many issues.
Nice explanations. For Testimonial what I did was I added an endpoint in main.go for command execution. A webshell basically. This works because it's launching the app with "air" which is a live reloader for Go apps. Then I triggered the reload by uploading a .tpl file because that's one of the file extensions air was looking for. It's in the .air.toml config file.
Oh damn! Completely missed all of that lol. I was looking at Go reverse shells but I thought I would need to compile it first. When you say you added an endpoint in main.go, you replaced the file with your shell or did you copy the existing code, append your endpoint to it and then submit the the lot as testimonial? Did you make a writeup?
@@_CryptoCat Testimonial got on my nerves. Had to go back to it a second time on another day and finally solved it 20 mins before the CTF ended. Making the exploit locally in Docker was important because it gives error messages and it's also a lot faster to reset when the Go program crashes. However, my first Docker (on a different machine) did not pick up on the file changes when I found the file write vuln. This threw me off massively.
@@_CryptoCat I effectively did it all in Go. I copied the client.go and modified it to do what i wanted it to do. I also just sent the payload as a multiline string from inside client.go overwriting index.templ. I had to look up what the Air functionality was which you could see from inside the docker container where it said it was 'watching directories' and i tested it once i had my client.go working. Good fun! and thanks for the writeup
Didn't get that one sorry! I looked at pwn for about 10 min then went back to web 😅 Haven't done much pwn over the last year tbh as I want to get some web certs and eventually do some bug bounty 😁
I am indeed! I use VMs habitually. In fact, I make a snapshot at the beginning of every CTF and then revert to it after the event ends (or every time my desktop gets too messy during the comp) 😁
Ive noticed burp suite to be used for many challenges, is burp necessary for most challenges and is there a series or video to learn burp more in depth?
It's definitely not necessary! Most of what you can do in burp you can also do in your browser devtools, or you could just write your own python script or something. There's other proxy tools as well, e.g. OWASP ZAP or a new, popular alternative to burp called "Caido". I'd definitely recommend checking Caido out, I would use it if I didn't already have a burp pro license. Regarding videos, you can probably find a lot online.. I made one a few years ago that was quite in-depth: ruclips.net/video/24dUQ1LvopE/видео.html -- I'm also starting a new series atm on Portswigger's Gin and Juice shop so the first ep has a bit of a burp crash course: ruclips.net/video/FPzoD_nUQYU/видео.html 🙂
It's been a while since I used ZAP but I think it does have a vuln scanner. I wouldn't expect it to be anywhere near as powerful as burp tbh but would be interested to know if it can also flag these issues!
@@ronnie_365 No problem! Yeh, burp isn't worth it really unless you are pen-testing or doing bug bounty professionally. You can get a trial for free though, I used mine ages ago to do the portswigger labs that require burp collaborator.
SerialFlow... So I had everything right but it is when putting in burp. I had like error of the server I never figure it out. And also that curl was not in the docker so it is normal that I have never seen something :c
very nice writeups. i hope you had as much fun as i had. htb is always a treat in my opinion
Thanks 🥰 I did! I don't play HTB as much as I used to but when I do, I always learn some new things 🧠
Finally I’ve been waiting for someone to make a video. Thank you
👊
Your videos are always amazing. Whenever I watch you I learn something new. Thank you for this.
Thank you! 🥰
jees nice! i was stuck with Testimonial for forever....i thought, hey its an easy box so looks like an ssti with some sort of filtering, ok i got that.. but to overwrite the file was not something i came up as a beginner. tricky box! nice vid :)
"easy box"? No.. It is "easy hackthebox" (aka hard 😂)
Thanks 🙏🥰
Testimonial took me forever, managed to solve it 20 mins before the end after going back to it a second time. Hade the right idea all along, but had so many issues.
@@HAGSLAB Clutch! 🏅
Very good explanation! Nice work! 👏❤
🙏🥰
nice explanations!
Thank you! 💜
Nice explanations. For Testimonial what I did was I added an endpoint in main.go for command execution. A webshell basically. This works because it's launching the app with "air" which is a live reloader for Go apps. Then I triggered the reload by uploading a .tpl file because that's one of the file extensions air was looking for. It's in the .air.toml config file.
Oh damn! Completely missed all of that lol. I was looking at Go reverse shells but I thought I would need to compile it first. When you say you added an endpoint in main.go, you replaced the file with your shell or did you copy the existing code, append your endpoint to it and then submit the the lot as testimonial? Did you make a writeup?
@@_CryptoCat Testimonial got on my nerves. Had to go back to it a second time on another day and finally solved it 20 mins before the CTF ended. Making the exploit locally in Docker was important because it gives error messages and it's also a lot faster to reset when the Go program crashes. However, my first Docker (on a different machine) did not pick up on the file changes when I found the file write vuln. This threw me off massively.
@@_CryptoCat I effectively did it all in Go. I copied the client.go and modified it to do what i wanted it to do. I also just sent the payload as a multiline string from inside client.go overwriting index.templ. I had to look up what the Air functionality was which you could see from inside the docker container where it said it was 'watching directories' and i tested it once i had my client.go working. Good fun! and thanks for the writeup
Amazing Walk through 🔥🔥 great work 💯💯
Thanks bro! I read some of your bug bounty writeups, great work yourself! 👊
good content man!
Thank you! 🙏🥰
Thank you!!!!
Welcome! 💜
Nice! did mainly rev and pwn. Still haven't pwned maze_of_mist and still working but can't find a way... Do you plan to make a video on it?
Didn't get that one sorry! I looked at pwn for about 10 min then went back to web 😅 Haven't done much pwn over the last year tbh as I want to get some web certs and eventually do some bug bounty 😁
@@_CryptoCat That makes sense
A bit silly question. You're not using Parrot on a VM, right?
I am indeed! I use VMs habitually. In fact, I make a snapshot at the beginning of every CTF and then revert to it after the event ends (or every time my desktop gets too messy during the comp) 😁
Ive noticed burp suite to be used for many challenges, is burp necessary for most challenges and is there a series or video to learn burp more in depth?
It's definitely not necessary! Most of what you can do in burp you can also do in your browser devtools, or you could just write your own python script or something. There's other proxy tools as well, e.g. OWASP ZAP or a new, popular alternative to burp called "Caido". I'd definitely recommend checking Caido out, I would use it if I didn't already have a burp pro license. Regarding videos, you can probably find a lot online.. I made one a few years ago that was quite in-depth: ruclips.net/video/24dUQ1LvopE/видео.html -- I'm also starting a new series atm on Portswigger's Gin and Juice shop so the first ep has a bit of a burp crash course: ruclips.net/video/FPzoD_nUQYU/видео.html 🙂
@@_CryptoCat I’ll check those out! Thanks!!
Your content is really good 🎉
And you are the only RUclipsr who replied to me on discord ❤❤
Thank you! Really appreciated 😊 Of course, I try to reply where I can 👍
Can zap proxy do such active scans?
It's been a while since I used ZAP but I think it does have a vuln scanner. I wouldn't expect it to be anywhere near as powerful as burp tbh but would be interested to know if it can also flag these issues!
@@_CryptoCat I will give a try cause burp is pricey for beginners,.thanks for the reply
@@ronnie_365 No problem! Yeh, burp isn't worth it really unless you are pen-testing or doing bug bounty professionally. You can get a trial for free though, I used mine ages ago to do the portswigger labs that require burp collaborator.
hii sir Also make guide video on the ctf challanges
Misc
Reversing
Forensics
Crypto
Pwn
Blockchain
Hardware
I didn't solve them, sorry! Check out SloppyJoePirates video though, he solved a lot! I linked in the description 😀
@@_CryptoCat Thanks.
genuinely thought sqlmap was not allowed
Some CTFs do say don't use automated tools but generally if there's dedicated instances, you are good 🙂
@@_CryptoCat I was a bit worried about throwing sqlmap at it as well, but I didn't feel scripting it all out 😆
SerialFlow...
So I had everything right but it is when putting in burp. I had like error of the server I never figure it out. And also that curl was not in the docker so it is normal that I have never seen something :c
curl not being on the box had me stuck for an embarrassingly long time 😅
bro can i pretty please join your team next time? I solved 11 challenges btw
Yeh sure, why not? 🙂 I normally play with the Irish CTF team but sometimes I join / form new team for an event (as I did with this one).
@@_CryptoCat Letssss goooo team CryptoCat
too bade you didnt do all of them web challs
yeh 😞